14

I have a problem with a Classic ASP page that I have not been able to solve for 3 days.

The page is working with Sessions - sometimes it happens that the ASPSESSIONID cookie is set twice in the Request.ServerVariables("HTTP_COOKIE"). This causes the ASP-Page to jump between the two Sessions when the page is refreshed.

I have written a test page which outputs the current SessionId, the Server Software and the HTTP_COOKIE value.

Sample Output:


Session ID: 308542840

Session Timeout: 20 minutes

Server Software: Microsoft-IIS/6.0

HTTP_COOKIE: ASPSESSIONIDQCBATRAD=MBHHDGCBGGBJBMAEGLDAJLGF; ASPSESSIONIDQCCDTTCB=PGHPDGCBPLKALGGKIPOFIGDM


Why are there two ASPSESSIONIDs? When I refresh the page then it randomly outputs one of the two Session IDs.

Here is a screencast which shows the problem in IE9: http://prinz-alexander.at/asp_test.avi

This error often occurs in IE8 and IE9.

Just do the following to recreate the problem:

  1. Completely close IE8 or IE9
  2. Start IE8 or IE9 and open http://www.pfiffikus.at/pfiffikus/tests/
  3. Immediately after the page is loaded, refresh the page multiple times

If you repeat these steps then randomly (not always) the HTTP_COOKIE is populated with two different ASPSESSIONIDs.

The ASP test file is only outputting the mentioned values, nothing else is happening in the source code.

This is the code of the asp test file:

<% ' Store a random value once per session
   If Trim(Session("test_val")) = "" Then
     Dim number
     Randomize
     number = Int((Rnd*1000))+1
     Session("test_val") = number
   End If
%>

<b>Session ID:</b>
<% response.write(Session.SessionId) %><br /><br />

<b>Session("test_val"):</b>
<% response.write(Session("test_val")) %><br /><br />

<b>Session Timeout:</b>
<% response.write(Session.Timeout) %> minutes<br /><br />

<b>Server Software:</b>
<% response.write(Request.ServerVariables("SERVER_SOFTWARE")) %><br /> <br />

<b>HTTP_COOKIE:</b> <% response.write(Request.ServerVariables("HTTP_COOKIE")) %>

How can I avoid multiple ASPSESSIONIDs in cookies?

Thanks for any help!

Vadzim
swervedriver

7 Answers

8

I was able to remove those cookies with Javascript.

Just add the following script to the end of the login page. This will remove all "ASPSESSIONIDXXXXXXX" cookies before the user logs in to the website:

<script type="text/javascript">
    //Clear any session cookies
    (function(){
        var cookiesArr = document.cookie.split("; ");
        for (var i = 0; i < cookiesArr.length; i++) {
            var cItem = cookiesArr[i].split("=");
            if (cItem.length > 0 && cItem[0].indexOf("ASPSESSIONID") == 0) {
                deleteCookie(cItem[0]);
            }
        }

        function deleteCookie(name) {
            // Expire the cookie by giving it a date in the past, on the same path ASP uses
            var expDate = new Date();
            expDate.setTime(expDate.getTime() - 86400000); //-1 day
            var value = "; expires=" + expDate.toUTCString() + ";path=/";
            document.cookie = name + "=" + value;
        }
    })();
</script>
Vadzim
Anton Palyok
  • As absurd as it is to do this, it's exactly what I had to do to avoid maxing out the cookie size with hundreds of ASPSESSIONIDs! – frumbert May 25 '17 at 13:29
  • THANK YOU!!! I have a forest so there are currently 5 IIS 10 Servers running, and the cookies counter and the login cookies would either never get attached to the session or would be deleted after another ASPSession was created. I ran the script that "swervedriver" posted to see that I had over 146 ASPSessions created. Then I attached your script to run on every page to get rid of the ASPSession, if not, I would NEVER know my true count, other than the Google Analytics, but I want my own count as well. Thank you, Anton. – Wayne Barron Jun 20 '23 at 06:13
6

You can use the URL Rewrite mod to rename the session cookie when it is set and use an inbound rewrite rule to revert it back again. Multiple session cookies occur when the session name ID changes, but by giving the session cookie a set name and including the ID within the cookie itself there will only ever be one session cookie at a time.

Use these rewrite rules in web.config to change

ASPSESSIONIDXXXXXXXX=YYYYYYYYYYYYYYYYYYYYYYYY

into

session=XXXXXXXX/YYYYYYYYYYYYYYYYYYYYYYYY

then revert it back again on an inbound request (so it can still be read by IIS):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
        <rules>
            <clear />
            <!-- "HTTP_COOKIE" must be added to the "allowed server variables" in IIS under URLRewrite -->
            <rule name="session cookie revert">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTP_COOKIE}" pattern="(.*)session=([0-9a-zA-Z]+)\/([0-9a-zA-Z]+)(.*)" />
                </conditions>
                <serverVariables>
                    <set name="HTTP_COOKIE" value="{C:1}ASPSESSIONID{C:2}={C:3}{C:4}" />
                </serverVariables>
                <action type="None" />
            </rule>
        </rules>
        <outboundRules>
            <rule name="session cookie rewrite">
                <match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID([0-9a-zA-Z]+)=([0-9a-zA-Z]+)(.*)" negate="false" />
                <!-- Set the session cookie as HttpOnly during the rewrite. Classic ASP doesn't 
                do this by default, but it's important for preventing XSS cookie stealing. 
                You could also add "; Secure" if you only want the session cookie to be passed 
                over an SSL connection, although this also means the cookie can only be set over 
                an SSL connection too, which could be a problem when testing on localhost. -->
                <action type="Rewrite" value="session={R:1}/{R:2}{R:3}; HttpOnly" />
            </rule>     
        </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
Adam
  • 1
    Thanks, this is a great long-term solution for sites that use Classic ASP. It doesn't get rid of existing ASPSESSIONID cookies, but it prevents them from coming back in the future. – Speednet Mar 02 '19 at 23:16
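
The round trip performed by the two rewrite rules in the answer above, simulated in JavaScript as an added example (not part of the original answer and not IIS code). The function names, the one-entry-per-name cookie jar and the `path=/` attribute on the constructed `Set-Cookie` values are assumptions made for illustration; the session values are the two from the question.

```javascript
// Same regular expressions as the two rewrite rules in the web.config above.
const OUTBOUND = /ASPSESSIONID([0-9a-zA-Z]+)=([0-9a-zA-Z]+)(.*)/;
const INBOUND = /(.*)session=([0-9a-zA-Z]+)\/([0-9a-zA-Z]+)(.*)/;

// Outbound rule: "ASPSESSIONIDX=Y; ..." becomes "session=X/Y; ...; HttpOnly".
function rewriteSetCookie(value) {
  const m = OUTBOUND.exec(value);
  return m ? `session=${m[1]}/${m[2]}${m[3]}; HttpOnly` : value;
}

// Inbound rule: "session=X/Y" becomes "ASPSESSIONIDX=Y" so ASP can read it.
function revertCookieHeader(value) {
  const m = INBOUND.exec(value);
  return m ? `${m[1]}ASPSESSIONID${m[2]}=${m[3]}${m[4]}` : value;
}

// Simplified browser cookie jar (assumption: same domain and path, so one
// entry per cookie name; a later Set-Cookie with the same name overwrites).
function storeCookies(setCookieHeaders) {
  const jar = new Map();
  for (const h of setCookieHeaders) {
    const pair = h.split(";")[0];
    const eq = pair.indexOf("=");
    jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1));
  }
  return jar;
}

function cookieHeader(jar) {
  return [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
}

function sessionCookieNames(header) {
  return header.split(";").map(c => c.split("=")[0].trim())
    .filter(n => n.indexOf("ASPSESSIONID") === 0);
}

// Constructed Set-Cookie values using the two cookies from the question.
const RESPONSES = [
  "ASPSESSIONIDQCBATRAD=MBHHDGCBGGBJBMAEGLDAJLGF; path=/",
  "ASPSESSIONIDQCCDTTCB=PGHPDGCBPLKALGGKIPOFIGDM; path=/",
];

function demo() {
  const plain = cookieHeader(storeCookies(RESPONSES));
  const renamed = cookieHeader(storeCookies(RESPONSES.map(rewriteSetCookie)));
  return { withoutRule: sessionCookieNames(plain), sentByBrowser: renamed,
           seenByAsp: revertCookieHeader(renamed) };
}
console.log(demo());
```

Because the rewritten cookie carries `HttpOnly`, page script can no longer read or delete it through `document.cookie`, so script-based cleanup only reaches cookies that were set before the rule was in place.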
1

This issue also troubled me for a long time, and I could not solve it.

It is not a browser issue. My Chrome, Firefox and IE all have this issue.

Sometimes I can see 20+ ASPSESSIONIDXXXX cookies in one page.

I must use JavaScript to clear the old ASPSESSIONID*** and keep the latest one.

function clearASPSESSIONID(){
  var cks = document.cookie.match(/\b(ASPSESSIONID[A-Z]+)(?==)/g) || [], // empty list when no session cookie exists
      lskey = 'oldASPSESSIONID-'+location.protocol+'//'+location.host,
      old = window.localStorage ? localStorage.getItem(lskey) : '',
      keep, i;
  for(i=0;i<cks.length;i++){
    if((old && old.indexOf(cks[i])<0) || i==cks.length-1){
      keep = cks[i];
    }
  }
  for(i=0;i<cks.length;i++){
    if(keep != cks[i]){
      document.cookie = cks[i] + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/'; // ASP sets the session cookie with path=/
    }
  }
  if(window.localStorage){
    localStorage.setItem(lskey, keep ? keep : '');
  }
}
clearASPSESSIONID();

Update 2023:
I completely disabled the session state in IIS and no ASPSESSIONID was created any more.
Set IIS -> Site -> ASP -> Enable Session State to False. Or modify web.config file like this:

<configuration>
  <system.web>
    <sessionState mode="Off" />
  </system.web>
</configuration>

The disadvantage is that Session is unavailable in ASP.

cuixiping
  • 1
    The reason you see 20+ ASPSESSIONIDxxxxxx (note number of x's) may be that 1) you have a pool of multiple servers, each of which is not aware of the others 2) The cookie is set for the whole domain, not for the host. You may be able to solve this by restricting the name. see: http://stackoverflow.com/questions/7854288/aspsessionid-name-change HTH – arielf May 16 '13 at 14:22
  • Sometimes this works, sometimes it doesn't... Really weird. – Rhys Stephens Dec 16 '16 at 04:50
1

Go to the application pool's "Advanced Settings" and set "Maximum Worker Processes" to 1.

0

In global.asa file:

Sub Session_OnStart

    Dim cookie, cookies : cookies = Split(Request.ServerVariables("HTTP_COOKIE"),";")
    For Each cookie In cookies
        cookie = Trim(Split(cookie,"=")(0))
        If Left(cookie,12) = "ASPSESSIONID" Then
            Response.AddHeader "Set-Cookie", cookie&"=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/"
        End If
    Next

End Sub
0

Maybe late, but this could be useful as there is no accepted answer.

In the application pool, under the recycling options, check that you do not recycle your application too soon, or you will end up with an ASPSESSIONIDXXXXXXX for each new application you respawn.

There are several recycling conditions. I set "minimum number of requests" to 1 by mistake and got an ASPSESSIONID for each request.

Ernest Collection
-2

You have assigned a value in the session of the user. Try to fetch your session like this and assign different unique values to every user:

<% 
Session("test") = "test value" 
a=Session("test")
response.Write(a)
%>
polin
  • OK... I have just edited my test page and added what you have suggested (I am adding a random number to the session, also see edited code in initial question). When I test the page in IE9 I often still get two ASPSessionIds and when I have these two ASPSessionIds in the cookie then on every page request it jumps from one SessionId to the other (each session has its own "test_val") - the "funny" thing about it is that I never get more than exactly two ASPSessionIds in the cookie - this is something I forgot to mention... – swervedriver Oct 09 '12 at 09:22
  • Don't respond like "response.write Session.SessionId". Simply respond like response.write(Session("test")). Another thing: every time you refresh the page the number changes. So a session must be assigned only when a user logs in. – polin Oct 09 '12 at 09:26
  • ...I have added the If statement in the beginning, the Session "test_val" is only set once. If I refresh the page, the number stays the same - is the number still changing after each request in your case? – swervedriver Oct 09 '12 at 09:34
  • There is no "my case". It is up to you. What do you want with your session ID? I think you need to read a bit more about sessions. Just read the page http://www.w3schools.com/asp/asp_sessions.asp – polin Oct 09 '12 at 09:46
  • Thanks for the link, but I have a good understanding of how sessions are working - the example is working fine but I still have the problem with the ASPSessionID that gets set twice (see HTTP_COOKIE) value in my example. I have created this little test page to show the problem in short, the real application is much bigger. – swervedriver Oct 09 '12 at 10:00
  • A cookie is a browser dependent thing. Different browser will show you different cookie. But a single browser will show you a single. If you close the browser totally and reopen it, then it will show you different cookie. So assign the cookie with your session for a single user – polin Oct 09 '12 at 10:13
  • ...that's what I would expect, but in this very case for a single browser, in a single window and single tab two ASPSessionId cookies are getting set (especially in IE9). As you can see from my example I do not set the cookie, but the cookie is set automatically (as expected!). The server stores the Session ID in the user's Web browser as a cookie, this is handled by IIS. – swervedriver Oct 09 '12 at 11:19
  • @AnthonyWJones: I have added a screencast to show the problem as a video (see initial question) – swervedriver Oct 09 '12 at 12:56